the internet of things: privacy and security...
TRANSCRIPT
The Internet of Things: Privacy and Security IssuesSecurity IssuesStefan SchiffnerNIS expert, ENISA
European Union Agency for Network and Information Security www.enisa.europa.eu
ENISA’ Mi iENISA’s Mission
European Union Agency for Network and Information Security www.enisa.europa.eu
Securing Europe’s Information Society
Operational Office in Athens
European Union Agency for Network and Information Security www.enisa.europa.eu
Seat in Heraklion
ENISA activities
Policy ImplementationRecommendations
MobilisingCommunities
Hands on
European Union Agency for Network and Information Security www.enisa.europa.eu
Privacy in the internet of thingsthings
European Union Agency for Network and Information Security www.enisa.europa.eu
What is the internet of things?
• Network of interconnected objectsfor data processingfor data processing– Cyber physical– Self configurationSelf configuration
• Specialized & Embedded– Seamless integration – Reduced HCI
• Multiple stake holders– For common or individual goals
• Integrated in legacy systemsO i i d d t i f t t
European Union Agency for Network and Information Security www.enisa.europa.eu 6
• Or in independent infrastructure
Privacy concerns
• An object can reveal information about the individual
• IoT introduces new ways of collecting and processingIoT introduces new ways of collecting and processing such information from objects:– collection of data from different sources– correlation and association– > abuse potentialS i i d h
European Union Agency for Network and Information Security www.enisa.europa.eu 7
• Storing is easy and cheap
Security concerns
• Objects are small and everywhere– Prone to environmental influences– Unprotected places (unnoticed manipulation)Weak calculation power (limited crypto)– Weak calculation power (limited crypto)
• Autonomous– Acting without user awareness
European Union Agency for Network and Information Security www.enisa.europa.eu 8
Acting without user awareness
The data protection challenge and requirements and requirements
European Union Agency for Network and Information Security www.enisa.europa.eu
Trust assumption for crypto
tr stedtrustedenvironment
trustedenvironment
protected communication
adversairialenvironment
European Union Agency for Network and Information Security www.enisa.europa.eu 10
Security silos
• The world is divided in In and Out group• They might be nested and intersecting• complex structures• Rather static• Administrative overhead• Administrative overhead• Fragile
European Union Agency for Network and Information Security www.enisa.europa.eu 11
To avoid new silos we need:
• Reduction of management burden wrt security and i li iprivacy policies
• Dynamic Automatic negotiation of policies• Resilience• Resilience• Leads to new (priority) of requirements
European Union Agency for Network and Information Security www.enisa.europa.eu 12
Control
• How to obtain informed consent?– How can information be presented? – How can individuals have overall control over their data?
European Union Agency for Network and Information Security www.enisa.europa.eu 13
data?
Liability and enforcement
• Who is responsiblep• How can rights be exercised
– access, deletion• How can data be safeguarded
– Detection of attacks and damages
European Union Agency for Network and Information Security www.enisa.europa.eu 14
Data Protection requirements
• Privacy & security by design• Purpose limitation
– no use beyond predefined purposes• Data minimization:
collect & process only necessary data– collect & process only necessary data– anonymize or delete data after use
• Distributed protection modelsDistributed protection models– move away from walled gardens– multi layer security– Resilience
• Automated decisions
European Union Agency for Network and Information Security www.enisa.europa.eu 15
The role and needs for standards
• Privacy – as part of the IoT ontologies and semantics
• New protection protocols• As an integral control mechanism for the development
and implementation of M2M architecturesand implementation of M2M architectures
European Union Agency for Network and Information Security www.enisa.europa.eu 16
ENISA’s work on IoT & data protectionprotection
European Union Agency for Network and Information Security www.enisa.europa.eu
ENISA activities
Policy ImplementationRecommendations
MobilisingCommunities
Hands on
European Union Agency for Network and Information Security www.enisa.europa.eu
Current activities
• Support all involved stakeholders in the translation of legal requirements to technical solutions:requirements to technical solutions:
• Privacy by design and by default– Technical tools and mechanisms for information and control
– Privacy Principles A i ti d d i ti t h i– Anonymisation and pseudonymisation techniques
• Technical protection measures– Cryptographic algorithms parameters key sizesCryptographic algorithms, parameters, key sizes
European Union Agency for Network and Information Security www.enisa.europa.eu 19
Published Reports– Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/survey‐pat
– Privacy, Accountability and Trust – Challenges and Opportunities (2011) http://www.enisa.europa.eu/activities/identity‐and‐trust/privacy‐and‐trust/pat/activities‐initiated‐in‐2010
– Bittersweet cookies. Some security and privacy considerations (2011)http://www enisa europa eu/activities/identity‐and‐trust/library/pp/cookieshttp://www.enisa.europa.eu/activities/identity and trust/library/pp/cookies
– Study on the use of cryptographic techniques in Europe (2011)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/the‐use‐of‐cryptographic‐techniques‐in‐europe
– Report on trust and reputation models (2011)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/trust‐and‐reputation‐models
– Study on monetising privacy. An economic model for pricing personal information (2012)h // i / i i i /id i d /lib /d li bl / i i ihttp://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/monetising‐privacy
– Study on data collection and storage in the EU (2012)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/data‐collection
– Privacy considerations of online behavioural tracking (2012)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/privacy‐considerations‐of‐online‐behavioural‐tracking
– The right to be forgotten – between expectations and practice (2012)The right to be forgotten between expectations and practice (2012)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/the‐right‐to‐be‐forgotten
– Security certification practice in the EU ‐ Information Security Management Systems ‐ A case study (November,2013)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/security‐certification‐practice‐in‐the‐eu‐information‐security‐management‐systems‐a‐case‐study
– Algorithms, Key Sizes and Parameters Report. 2013 Recommendations (October 2013)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/algorithms‐key‐sizes‐and‐parameters‐report
– Recommended cryptographic measures ‐ Securing personal data (November 2013)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/recommended‐cryptographic‐measures‐securing‐personal‐data
– Securing personal data in the context of data retention. Analysis and recommendations (December 2013)http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/securing‐personal‐data‐in‐the‐context‐of‐data‐retention
– On the security, privacy and usability of online seals. An overview . (December 2013)http://www enisa europa eu/activities/identity and trust/library/deliverables/on the security privacy and usability of online seals
European Union Agency for Network and Information Security www.enisa.europa.eu 20
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/on‐the‐security‐privacy‐and‐usability‐of‐online‐seals
Thank you very much for your attention
Follow ENISA:
www.enisa.europa.euEuropean Union Agency for Network and Information Security